Subject: Re: verified executable kernel modification committed
To: Brett Lymn <blymn@baesystems.com.au>
From: Bill Studenmund <wrstuden@netbsd.org>
List: current-users
Date: 10/31/2002 16:39:15
On Thu, 31 Oct 2002, Brett Lymn wrote:
> On Wed, Oct 30, 2002 at 09:26:34AM -0500, Perry E. Metzger wrote:
> >
> > What prevents them from also altering the fingerprints?
> >
>
> either chflags or ro media. To be honest, this is part that needs
> work. The loading of the fingerprints is something I consider that
> needs work to improve the security of the mechanism.
Or use public/private key signing, and code the public keys into the
kernel.
One other thing we could do is come up with "Official" keys. So that you
could use a signed set of fingerprints that were generated on the build
machine which made the release.
So then all you have to do is trust the builders. :-)
> > So, again, why is this better/different from an immutable flag?
With the above, you can have a trail of verification. With the immutable
flag, you can't do any back-tracking to the build. Yes, you could download
a build and hash everything then, but that's an extra step. The immutable
flag itself won't help.
Take care,
Bill